Chain of custody
Definitions

Authentication

Electronic evidence

When dealing with electronic evidence, two different chains of custody are involved: the physical item itself and its associated data. It is important for law enforcement to:

* Know the accreditation standards and laboratory policies, procedures, or other guidelines, if any, regarding chain of custody, both generally and for electronic evidence specifically. Determine whether they have been followed or whether a deviation has occurred.
* Understand the effect that all deviations may have on the case and be prepared to explain them. Also be aware that the policies, procedures, or other guidelines should be dynamic. The prosecution team must know which practices were applicable at the time the examination was conducted.
* Ask employees (e.g., information technology staff, security) of a victimized company a series of questions pertaining to the preliminary handling of any electronic evidence they have provided or will provide to law enforcement. Care should be taken, however, to avoid creating an unintended agency relationship between law enforcement and a private citizen employee who has or is considering handling potential electronic evidence.

One advantage of inquiring about these issues is to ensure the proper collection of electronic evidence when law enforcement becomes involved in a case. If the evidence is still on the original medium but the initial procedure used to gather the information was less than ideal, law enforcement may be in a position to resolve evidentiary issues even if they cannot perform their own collection process.

To reinforce adherence to traditional chain-of-custody procedures, law enforcement investigating a case should ask the following questions to determine how evidence was handled before they became involved.

1. What types of electronic evidence have been collected prior to the involvement of law enforcement? For example, in a cyberstalking case, does a hardcopy (printed) version of the e-mail exist? Is an electronic copy available? Does it contain full header information?

2. Who handled the evidence?
:a. Document the name and job function of each individual who handled the electronic evidence. Be aware that more than one person could be involved in this process.
:b. Identify everyone who had control of the electronic evidence after it was examined and before it was given to law enforcement.

3. How was the electronic evidence collected and stored?
:a. Identify all tools or methods used to collect the electronic evidence.
:b. Determine who had access to the electronic evidence after it was collected — anyone with access to the evidence should be considered part of the chain of custody. Account for all storage of data.

4. When was the evidence collected? Document the date and time when the evidence was gathered (including a reference to time zone if necessary). Careful documentation will enable the prosecutor and the prosecution witnesses to use a timeline to demonstrate the collection of evidence during its introduction and explanation at trial. Keep in mind that the collection of evidence might be an ongoing process.

5. Where was the evidence when it was collected? In addition to the traditional "where" questions (e.g., "in which room was the computer found?"), other issues related to electronic evidence can arise. Be aware that electronic evidence may exist in more than one location simultaneously (e.g., e-mail may be located on the sender's computer, the recipients' computers, and their respective ISPs). Consider the following questions:
:* What kind of machine/device held the electronic evidence (is a serial number present)?
:* Who had access to the machine/device?
:* Who owned the machine/device?
:* Was the machine/device shared?
:* Was information retrieved from a network?
:* Was information password protected?
:* Who had access to the password-protected information?
:* Is the data located at an off-site location?

General

Chain of custody is

Preservation

Chain of custody is

References

See also

* Provenance